Would anybody be able to tell us why our SSL certificate is failing PCI scans? Qualys PCI reports: "Server Supports Weak Encryption Vulnerability (QID: 38140)"
However when I check mail.aqualisa.co.uk (redirects to https) on www.digicert.com/help it reports "Signature algorithm = SHA1 + RSA (good)"
Any pointers would be very helpful thank you.
To fix this vulnerability you will need to change your server configuration to not allow connections with weak encryption. Try running an SSL Server Test to find out what protocols and cipher suites your server supports.
We do have a VM subscription and we could not find a way to resolve the SSL Server Supports Weak Encryption Vulnerability (QID: 38140). We don't know what the scan is looking for, nor do we have any experience in setting those cipher parameters. We are not seeking certification checking, nor checking to see if any of them have expired or are soon to expire. The SSL Server Test is good for external, but what about internal? Overall, what is the solution to remediate QID 38140? Thank you
The KnowledgeBase entry for QID 38140 under the Threat section identifies LOW grade ciphers as those with a small key length. Under the Solution section it proposes some common configuration options for Apache and Tomcat, and provides links for IIS configuration.
(If memory serves, the UNIX command-line client openssl can also be asked to produce a list of LOW grade ciphers as follows: openssl ciphers LOW. Any ciphers that appear there probably ought to be suppressed from your servers. Now, your openssl build might not have exactly the same cipher list as the current scanner, but it's a place to start if the KnowledgeBase suggestions aren't appropriate.)
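To make the "small key length" criterion from the KnowledgeBase entry concrete, here is an added example (not code from the thread, from Qualys, or from OpenSSL) that parses the verbose `openssl ciphers -v` listing and flags suites whose symmetric key is short or which carry the `export` marker. The listing embedded below is a constructed sample, not output from the server in question; the 128-bit cut-off is an assumption for the example, since the QID text gives no number. When `openssl` is on the path, the script lists whatever cipher string you pass it (defaulting to `ALL`) so you can audit the server's own `SSLCipherSuite` value before the next scan.

```python
"""Flag small-key cipher suites in `openssl ciphers -v` output.

Example added for this thread. It parses the verbose cipher listing and
reports suites whose symmetric key is shorter than LOW_KEY_BITS, or that
are export-grade, which is what QID 38140's "LOW grade" wording points at.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample of `openssl ciphers -v` output (not from a real server).
SAMPLE_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Assumed threshold: the KnowledgeBase says "small key length" without a
# number; 128 bits is the usual cut-off for LOW grade. Enc=None counts as 0.
LOW_KEY_BITS = 128

# One verbose line: name, protocol, Key=Value fields, optional trailing "export".
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+.*?Enc=(?P<enc>[A-Za-z0-9]+)"
    r"(?:\((?P<bits>\d+)\))?.*?Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


@dataclass
class Suite:
    name: str
    proto: str
    enc: str
    bits: int
    mac: str
    export: bool

    @property
    def is_low(self) -> bool:
        """LOW grade: short symmetric key, or export-grade suite."""
        return self.bits < LOW_KEY_BITS or self.export


def parse_listing(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output; blank or unrecognised lines are skipped."""
    suites: List[Suite] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        bits = int(m.group("bits")) if m.group("bits") else 0  # Enc=None -> 0
        suites.append(Suite(
            name=m.group("name"),
            proto=m.group("proto"),
            enc=m.group("enc"),
            bits=bits,
            mac=m.group("mac"),
            export=bool(m.group("export")),
        ))
    return suites


def low_grade(suites: List[Suite]) -> List[Suite]:
    """Return only the suites the small-key rule flags."""
    return [s for s in suites if s.is_low]


def exclusion_string(suites: List[Suite]) -> str:
    """Build an OpenSSL cipher-string suffix (!NAME:!NAME) that disables the flagged suites."""
    return ":".join(f"!{s.name}" for s in low_grade(suites))


def listing_from_openssl(cipher_spec: str = "ALL") -> str:
    """Expand a cipher string with the local openssl; empty string if openssl is missing or errors."""
    exe = shutil.which("openssl")
    if not exe:
        return ""
    result = subprocess.run([exe, "ciphers", "-v", cipher_spec],
                            capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else ""


if __name__ == "__main__":
    # Prefer the real local listing; fall back to the constructed sample offline.
    listing = listing_from_openssl() or SAMPLE_LISTING
    suites = parse_listing(listing)
    for s in low_grade(suites):
        print(f"LOW: {s.name:28s} {s.enc}({s.bits}) export={s.export}")
    print("Suggested exclusions:", exclusion_string(suites))
```

On the constructed sample the rule flags DES-CBC-SHA (56-bit), EXP-RC4-MD5 (40-bit, export) and NULL-SHA (no encryption) and leaves RC4-SHA and 3DES alone, which mirrors the scan's "LOW grade" scope: those two suites are weak for other reasons and are reported under other QIDs, so a clean 38140 result is not the same as a strong cipher configuration. Appending the exclusion string to the server's cipher string is the narrow fix; moving to a positive `HIGH`-style allow-list as the KnowledgeBase suggests is the broader one.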